Bash Bunny: Windows Remote Shell using Metasploit & PowerShell

In this article, we will see how to use the Bash Bunny to get a full reverse shell on a Windows system using Kali Linux, PowerShell and the Metasploit Web Delivery module.

The USB Bash Bunny is the latest pentesting tool from Hak5. Using this advanced USB attack platform, you can easily perform multiple USB based attacks. The device normally emulates a keyboard and automatically sends typed commands through the USB port as soon as it is plugged in. The Bash Bunny is a programmable device that contains two separate attack modes and an arming mode.

The attack modes are set by a switch on the side. You can set up different scripts to fire whether the switch is in position 1 or 2. The arming position is for loading new scripts onto the device.

When you load an attack script on the device and plug it into the USB port, the script executes. In this case, it will make a Windows system call back to the Kali system and create a full Metasploit shell. The Metasploit shell is nice, because you have complete control over the target.

In Kali Linux, start Metasploit. We will use the Web Delivery script:

The module is pretty straight forward, we set the IP address and port for our Kali system, then select a PowerShell (PSH) based target, and lastly select the reverse TCP Meterpreter Shell. When the module runs, it will provide you with a rather lengthy PowerShell command.

We will take the PowerShell command and use it in our Bash Bunny script. Because the Bash Bunny does seem to parse some of the input, you will need to use a switch character to get it to properly execute the PowerShell command. I had to put a “\” in front of every special character.

The entire Bash Bunny Script:

The PowerShell command is a single line, it just wraps several lines in the picture above. The Q in front of the lines is short for Quack, as a reference to the Hak5 Rubber Ducky. Many of the Ducky scripts will work with the Bash Bunny with some modification.

Basically, the first line tells Bash Bunny to act like a keyboard (HID). The LED command turns the status led to Blue. “GUI R” are the commands needed to open a run prompt in Windows. The delays are so the Bash Bunny has time to type each line in, longer delays for longer commands. And that is it. When the command is done, the LED turns to green.

All that is needed is to save the script to one of the Bash Bunny Payload Switch directories. Then set the switch to the corresponding position and plug it into the target machine.

Shortly after the USB drive is inserted into the Windows PC, we get a remote shell:

After we connect to the session, we have a full Meterpreter shell and basically have full control of the remote system.

Here I just entered the command to pull a remote screenshot, and the resultant screenshot:

Bash Bunny is an exciting and fun tool for any security professional. Once you get the hang of using the device, modifying Rubber Ducky scripts or creating your own is very easy. With the flexibility of the Bash Bunny, the usage scenarios are pretty much limited only by your imagination, and an open USB port.